Sunday, April 1, 2018

MyFitnessPal Data Breach


On March 25, 2018, we became aware that during February of this year an unauthorized party acquired data associated with MyFitnessPal user accounts.


The affected information included usernames, email addresses, and hashed passwords - the majority with the hashing function called bcrypt used to secure passwords.

So, apparently none of the app-specific data.

John Gruber:

It’s a little scary that this went undetected for a month. Makes me wonder how many of these data breaches are never noticed.

Update (2018-04-03): Dave Teare:

Many companies hide from the truth and make things much worse for themselves and their customers. Instead, MyFitnessPal did it right. Not only did they handle the disclosure with finesse, they also had excellent systems in place to limit the exposure of the leak.

MyFitnessPal provides a great case study on how to handle a data breach and protect customer information.


For those looking to learn more about the MyFitnessPal breach, Troy Hunt started his Weekly Update 80 with a full discussion on the subject that I found very intriguing, especially the strategy on how to migrate from a SHA-1 hash to using bcrypt.

1 Comment

I agree with Dave Teare, pleasantly surprised by the response. I was not affected (not a user), but I have a client who could have been exposed to the data breach.
